X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fexim%2Ftemplates%2Feximconf.erb;h=c619856cef0b6cfb8cbe2b9edc573ff2a0d34de9;hb=a1dd5aff5fcc24d382c60a32a56bf6797b444d02;hp=af0e177a8d73d48ce1a0734597b09f315c7b723e;hpb=f50a3a803d19af29ca27e271b193cbddcad5f92e;p=mirror%2Fdsa-puppet.git diff --git a/modules/exim/templates/eximconf.erb b/modules/exim/templates/eximconf.erb index af0e177a8..c619856ce 100644 --- a/modules/exim/templates/eximconf.erb +++ b/modules/exim/templates/eximconf.erb @@ -27,10 +27,6 @@ # is much like a local domain, execpt that the delivery location # and allowed set of users is controlled by a virtual domain # alias file and not /etc/passwd. Wildcards are permitted -# relayhosts - Hostnames that can send any arbitarily addressed mail to -# us. This is primarily only useful for emergency 'queue -# flushing' operations, but should be populated with a list -# of trusted machines. Wildcards are not permitted # bsmtp_domains - Domains that we deliver locally via bsmtp # submission-domains - Domains for which mail will be accepted via the # submission port @@ -266,6 +262,7 @@ tls_advertise_hosts = * smtp_enforce_sync = true log_selector = \ + +subject \ +tls_cipher \ +tls_peerdn \ +queue_time \ 
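Review bot: Adding `+subject` to `log_selector` writes each message's Subject line into the main log, which is message content rather than envelope metadata. Nothing in this hunk changes log permissions or retention, so it is worth confirming that everyone who can read the exim logs on these hosts should see subjects. A comment above the selector would record the reason, for example `# +subject: log now holds message content; kept for tracing content-filter rejects` if that is the motivation.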
@@ -306,7 +303,14 @@ GREYLIST_LOCAL_PARTS = ${if match_domain{$domain}{+virtual_domains}\ {${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/grey_users}}}{$local_part}{}}}{}}}\ {${lookup{$local_part}lsearch{/etc/exim4/grey_users}{$local_part}{}}}} : \ ${lookup{$local_part}lsearch{/var/lib/misc/$primary_hostname/mail-greylist}{$local_part}{}} -HAS_DEFAULT_OPTIONS = ${if eq{${lookup{$local_part}dbmnz{/var/lib/misc/$primary_hostname/default-mail-options.db}{$value}{TRUE}}}{TRUE}} +# Users from LDAP can decide whether to subscribe to default filtering. +# If a user has not explicitly disabled the option, the assumption is in +# favour of filtering. +HAS_DEFAULT_OPTIONS = ${if and {\ + {eq{${lookup{$local_part}dbmnz{/var/lib/misc/$primary_hostname/default-mail-options.db}{$value}{TRUE}}}{TRUE}}\ + {exists{${extract{directory}{VDOMAINDATA}{${value}/mail-forward.db}}}}\ + {! eq {${lookup{$local_part}dbmnz{${extract{directory}{VDOMAINDATA}{${value}/mail-forward.db}}}}}{}}\ + }} <%- if @is_rtmaster -%> # This subject rewrite is embedded in double-quoted strings. As such, some of # the items need more escaping than usual, otherwise \N becomes simply "N" and @@ -601,6 +605,15 @@ check_recipient: message = Different profile, please retry log_message = Only one profile at a time, please + warn set acl_m_rdefopt = ${if bool_lax{HAS_DEFAULT_OPTIONS}} + + warn condition = ${if eq{$acl_m_defopt}{}} + set acl_m_defopt = $acl_m_rdefopt + + defer condition = ${if !eq{$acl_m_defopt}{$acl_m_rdefopt}} + message = Different profile, please retry + log_message = Only one default options profile at a time, please + # Set a flag to indicate whether the current recipient # has explicitly requested greylisting warn set acl_m_grey_recip = 0 
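Review bot: The new comment says the assumption is in favour of filtering, but the `and` is now true only when the virtual domain has a `mail-forward.db` and the local part has a non-empty entry in it. For a recipient with no entry there, or a domain where `VDOMAINDATA` yields no `directory` (its definition is outside this hunk, so this is inferred), `HAS_DEFAULT_OPTIONS` expands to empty and the rules keyed on it are skipped. If that narrowing is intended, the comment should say so, e.g. `# Only virtual-domain users with an entry in mail-forward.db are filtered by default; all other recipients are not.`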
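Review bot: `${if bool_lax{HAS_DEFAULT_OPTIONS}}` expands to `true` or to the empty string, so a first recipient for whom it is false leaves `acl_m_defopt` empty, indistinguishable from "not set yet". A later recipient for whom it is true then passes the `eq{$acl_m_defopt}{}` test and overwrites the value, so the `defer` never fires. The message-level rules that read `$acl_m_defopt` would then treat the whole message as opted in, including the recipient who was not. Explicit values keep the two states apart: `warn set acl_m_rdefopt = ${if bool_lax{HAS_DEFAULT_OPTIONS}{yes}{no}}`. `check_recipient` starts and ends outside this hunk.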
@@ -1055,6 +1068,30 @@ check_message: condition = ${if !eq {$acl_m_prf}{PopconMail}} message = Your mailer is not RFC 2047 compliant: message rejected + discard condition = ${if eq {$acl_m_prf}{blackhole}} + condition = ${if bool_lax{$acl_m_defopt}} + condition = ${if or {\ + {match {$message_body}{Wenn Sie zukünftig keine weiteren Informationen erhalten möchten,
unwissentlich oder unbeabsichtigt in den Verteiler aufgenommen wurden,}} \ + }\ + } + log_message = Discarded suspicious content for $recipients + + deny condition = ${if !eq {$acl_m_prf}{markup}} + condition = ${if bool_lax{$acl_m_defopt}} + condition = ${if or {\ + {match {$message_body}{Wenn Sie zukünftig keine weiteren Informationen erhalten möchten,
unwissentlich oder unbeabsichtigt in den Verteiler aufgenommen wurden,}} \ + }\ + } + message = Rejected due to suspicious content + + warn condition = ${if eq {$acl_m_prf}{markup}} + condition = ${if bool_lax{$acl_m_defopt}} + condition = ${if or {\ + {match {$message_body}{Wenn Sie zukünftig keine weiteren Informationen erhalten möchten,
unwissentlich oder unbeabsichtigt in den Verteiler aufgenommen wurden,}} \ + }\ + } + add_header = X-debian-content-warning: yes + <%- if has_variable?("clamd") && @clamd -%> discard condition = ${if eq {$acl_m_prf}{blackhole}} malware = */defer_ok @@ -1483,7 +1520,11 @@ virt_direct_verify: modemask = 002 directory_transport = address_directory domains = +virtual_domains +<%- if @is_trackermaster -%> + local_part_suffix = +* +<%- else -%> local_part_suffix = -* +<%- end -%> local_part_suffix_optional file = $home/.forward-\ ${if exists {${home}/.forward-${local_part}}{${local_part}}\ @@ -1513,7 +1554,11 @@ virt_direct: group = ${extract{group}{VDOMAINDATA}} headers_add = "Delivered-To: ${local_part}${local_part_suffix}@${domain}" modemask = 002 +<%- if @is_trackermaster -%> + local_part_suffix = +* +<%- else -%> local_part_suffix = -* +<%- end -%> local_part_suffix_optional pipe_transport = address_pipe reply_transport = address_reply
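Review bot: The three added rules match a natural-language phrase against `$message_body`, which Exim fills with only the first `message_body_visible` bytes of the raw body and, unless `message_body_newlines` is set, with line breaks turned into spaces. The phrase will not match if it sits further down, is wrapped differently, or arrives as quoted-printable/base64 or in a non-UTF-8 charset (the pattern contains `ü` and `ö`); when it does match under the `blackhole` profile, the message is dropped without a bounce. The identical `or {match ...}` condition is also written out three times; holding it in one macro, for example `SUSPICIOUS_BODY = ${if or {...}}` with `condition = SUSPICIOUS_BODY` in each rule, keeps the discard, deny and warn branches from drifting apart. `check_message` continues outside the hunk.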
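Review bot: The same `@is_trackermaster` switch for `local_part_suffix` is pasted into `virt_direct_verify` here and into `virt_direct` in the next hunk, so the verify and delivery routers agree only as long as both copies are edited together. If they diverge, an address can verify at RCPT time and then fail or route differently at delivery. Setting the value once removes that risk: define a macro (the name `VIRT_SUFFIX` is only a suggestion) inside a single `<%- if @is_trackermaster -%>` block and use `local_part_suffix = VIRT_SUFFIX` in both routers. Both router definitions extend beyond the hunks shown.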